<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Privilege_escalation — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/privilege_escalation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 Apr 2026 20:16:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/privilege_escalation/feed.xml" rel="self" type="application/rss+xml"/><item><title>SysGauge Pro 4.6.12 Local Buffer Overflow Vulnerability (CVE-2018-25307)</title><link>https://feed.craftedsignal.io/briefs/2026-04-sysgauge-bo/</link><pubDate>Wed, 29 Apr 2026 20:16:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-sysgauge-bo/</guid><description>SysGauge Pro 4.6.12 is vulnerable to a local buffer overflow in the Register function, allowing local attackers to overwrite the structured exception handler and execute arbitrary code by supplying a crafted unlock key during registration.</description><content:encoded><![CDATA[<p>SysGauge Pro version 4.6.12 is susceptible to a local buffer overflow vulnerability (CVE-2018-25307) within its registration process. This vulnerability allows a local attacker to gain arbitrary code execution with the privileges of the SysGauge Pro application. Specifically, by providing a maliciously crafted &ldquo;Unlock Key&rdquo; during the registration, an attacker can overwrite the Structured Exception Handler (SEH). This overwrite allows the injection of shellcode, leading to the execution of attacker-controlled code within the context of the application. 
This is a local vulnerability, meaning the attacker needs local system access to exploit it. The report dates back to 2018 but was only recently published in the NVD database.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains local access to the target system.</li>
<li>Attacker identifies that SysGauge Pro 4.6.12 is installed.</li>
<li>Attacker launches SysGauge Pro.</li>
<li>Attacker initiates the registration process within SysGauge Pro.</li>
<li>Attacker provides a crafted &ldquo;Unlock Key&rdquo; containing shellcode designed to overwrite the Structured Exception Handler (SEH).</li>
<li>The application attempts to process the overly long &ldquo;Unlock Key&rdquo; without proper bounds checking.</li>
<li>The buffer overflow occurs, overwriting the SEH with the attacker&rsquo;s shellcode address.</li>
<li>When an exception occurs within the application, the overwritten SEH is invoked, redirecting execution to the attacker&rsquo;s shellcode, leading to arbitrary code execution with application privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the SysGauge Pro application. This could lead to complete system compromise if the application is running with elevated privileges. The impact includes potential data theft, modification of system settings, or installation of malware. Given that this is a local exploit, the primary risk is to systems where untrusted users have local access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creations for SysGauge Pro (SysGauge.exe) spawning unusual child processes to detect potential exploitation attempts, using a <code>process_creation</code> Sigma rule.</li>
<li>Consider deploying application control or whitelisting to prevent execution of unsigned or untrusted executables within the SysGauge Pro process.</li>
<li>Since no patch is available, consider uninstalling SysGauge Pro 4.6.12 from systems where the risk outweighs the benefit of the software.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>buffer_overflow</category><category>privilege_escalation</category></item><item><title>Unauthenticated CLI Escape Vulnerability (CVE-2026-3587)</title><link>https://feed.craftedsignal.io/briefs/2026-03-cli-escape/</link><pubDate>Tue, 24 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cli-escape/</guid><description>An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface of a device, leading to full compromise and root access on the underlying Linux-based OS, as described in CVE-2026-3587.</description><content:encoded>&lt;p>CVE-2026-3587 describes a critical vulnerability affecting devices with a command-line interface (CLI). An unauthenticated remote attacker can exploit a hidden function within the CLI prompt to bypass intended restrictions and gain unauthorized access. This vulnerability allows the attacker to escape the restricted CLI environment and obtain root privileges on the underlying Linux-based operating system, leading to a complete system compromise. The vulnerability was reported by CERT VDE. A…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>cli</category><category>privilege_escalation</category><category>linux</category></item><item><title>Entra ID Federated Identity Credential Issuer Modified</title><link>https://feed.craftedsignal.io/briefs/2026-03-entra-id-federated-issuer-modified/</link><pubDate>Wed, 18 Mar 2026 21:22:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-entra-id-federated-issuer-modified/</guid><description>Modification of the issuer URL of a federated identity credential in Entra ID can allow an attacker to authenticate as the application's service principal, granting persistent access to Azure resources by pointing to an attacker-controlled identity provider and bypassing normal authentication.</description><content:encoded><![CDATA[<p>This detection identifies modifications to the issuer URL within a federated identity credential on an Entra ID application. Federated identity credentials enable applications to authenticate using tokens from external identity providers (e.g., GitHub Actions, AWS) without managing secrets. An attacker can exploit this by changing the issuer to an attacker-controlled identity provider, enabling them to generate valid tokens and authenticate as the application&rsquo;s service principal. This technique provides persistent access to Azure resources with the application&rsquo;s permissions, effectively bypassing traditional secret-based authentication. The detection logic focuses on the &ldquo;Update application&rdquo; event within Entra ID audit logs, specifically targeting changes to the &ldquo;FederatedIdentityCredentials&rdquo; property. It is applicable to environments using Azure and Entra ID and is relevant for defenders aiming to prevent unauthorized access and maintain the integrity of their cloud infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an Entra ID account with sufficient privileges to modify application registrations.</li>
<li>The attacker navigates to the Entra ID portal or uses PowerShell/Azure CLI to locate a target application with federated identity credentials configured.</li>
<li>The attacker modifies the &ldquo;Issuer&rdquo; URL of an existing Federated Identity Credential within the application registration. They replace the legitimate issuer URL with a URL controlled by the attacker.</li>
<li>The attacker configures their own identity provider to issue tokens that match the application&rsquo;s expected audience and subject claims.</li>
<li>The attacker crafts a malicious token from their identity provider, impersonating the legitimate service principal.</li>
<li>The attacker uses the crafted token to authenticate to Azure resources, bypassing normal authentication controls.</li>
<li>The attacker leverages the application&rsquo;s permissions to access sensitive data, modify configurations, or deploy malicious code.</li>
<li>The attacker maintains persistent access to the Azure environment by continuing to use the compromised federated identity configuration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to gain persistent access to Azure resources with the permissions of the compromised application. This could lead to data breaches, unauthorized modifications to critical infrastructure, and deployment of malicious code within the cloud environment. The impact is significant because it bypasses traditional authentication methods and relies on a trust relationship established with an external identity provider. The rule is rated high severity because it directly addresses a persistence and privilege escalation technique that can severely impact the confidentiality, integrity, and availability of cloud resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the Azure integration with Microsoft Entra ID Audit Logs data stream to ingest data in your Elastic Stack deployment, as required by the rule setup instructions.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect unauthorized modifications to federated identity credential issuers in Entra ID (<code>Entra ID Federated Identity Credential Issuer Modified</code>).</li>
<li>Review <code>azure.auditlogs.properties.initiated_by.user.userPrincipalName</code> and <code>ipAddress</code> logs to determine the source of detected changes, as recommended in the rule&rsquo;s triage notes.</li>
<li>Implement conditional access policies and PIM (Privileged Identity Management) to protect application management operations within Entra ID, as suggested in the rule&rsquo;s response and remediation guidance.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>entra_id</category><category>federated_identity</category><category>persistence</category><category>privilege_escalation</category></item><item><title>System Shells Launched via Windows Services</title><link>https://feed.craftedsignal.io/briefs/2024-01-system-shells-via-services/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-system-shells-via-services/</guid><description>Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.</description><content:encoded><![CDATA[<p>Attackers may configure existing Windows services or create new ones to execute system shells, in order to elevate their privileges from administrator to SYSTEM. This tactic is used to gain SYSTEM permissions and establish persistence. The detection rule focuses on identifying instances where <code>services.exe</code> is the parent process of a command shell (cmd.exe, powershell.exe, pwsh.exe, powershell_ise.exe), indicating that a service is being abused to run a shell. The rule is designed to work with data from Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the system with administrator privileges.</li>
<li>Attacker identifies a legitimate service or creates a new service to abuse for privilege escalation.</li>
<li>Attacker modifies the service configuration to execute a command shell (cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe). This may involve modifying the service&rsquo;s executable path or adding command-line arguments.</li>
<li>The system&rsquo;s Service Control Manager (SCM) starts the service.</li>
<li><code>services.exe</code> spawns the configured command shell process.</li>
<li>The command shell executes with SYSTEM privileges.</li>
<li>Attacker uses the SYSTEM shell to perform malicious activities, such as installing malware, accessing sensitive data, or creating new user accounts.</li>
<li>The service continues to run, providing persistent access to the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to privilege escalation to SYSTEM, granting the attacker complete control over the compromised system. This can result in data theft, malware installation, or further lateral movement within the network. The rule has a risk score of 47 and is categorized as medium severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>System Shells via Services</code> to detect the execution of command shells spawned by <code>services.exe</code> within your SIEM environment, and tune for your environment.</li>
<li>Investigate any process creation events where <code>services.exe</code> is the parent process of <code>cmd.exe</code>, <code>powershell.exe</code>, <code>pwsh.exe</code>, or <code>powershell_ise.exe</code> using the investigation guide provided in the content section.</li>
<li>Review service creation and modification events in Windows Event Logs (Event IDs 4697 and 7045) for suspicious entries.</li>
<li>Enable Sysmon process creation logging (Event ID 1) to capture detailed process information.</li>
<li>Utilize osquery to retrieve detailed service information to identify potentially malicious services. Reference queries $osquery_0, $osquery_1, and $osquery_2 in the investigation guide.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>execution</category><category>privilege_escalation</category><category>windows</category></item><item><title>Detect Suspicious Windows Service Installation</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-service-installation/</link><pubDate>Fri, 12 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-service-installation/</guid><description>This detection identifies the creation of new Windows services with suspicious command values, often used for privilege escalation and persistence by malicious actors.</description><content:encoded><![CDATA[<p>Attackers frequently abuse Windows services for persistence and privilege escalation. By creating or modifying services with malicious configurations, they can execute code with SYSTEM privileges. This rule detects suspicious service creations based on the image path, looking for services that point to command interpreters, scripts, or unusual locations. This activity is indicative of malicious actors attempting to establish persistence or escalate privileges within a compromised system. The detection focuses on identifying unusual command lines and file paths associated with newly created services based on Windows Event IDs 4697 and 7045.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to the system through various means.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges to SYSTEM.</li>
<li>Service Creation: The attacker creates a new Windows service using tools like <code>sc.exe</code> or modifies an existing one.</li>
<li>Image Path Modification: The attacker sets the service&rsquo;s <code>ImagePath</code> to point to a command interpreter (e.g., cmd.exe, powershell.exe) or a script file.</li>
<li>Command Execution: The service executes the command interpreter or script with SYSTEM privileges.</li>
<li>Persistence: The attacker configures the service to start automatically on system boot, ensuring persistent access.</li>
<li>Malicious Activity: The attacker uses the elevated privileges to perform malicious activities, such as installing malware, stealing credentials, or compromising other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to maintain persistent access to the compromised system with SYSTEM privileges. This can lead to complete system compromise, data theft, installation of ransomware, and lateral movement to other systems within the network. The impact includes potential data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Windows Security Event Logs and Windows System Event Logs to capture service creation events (Event IDs 4697 and 7045).</li>
<li>Deploy the Sigma rule <code>Suspicious Service Installation via ImagePath</code> to your SIEM to detect suspicious service creations.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the service&rsquo;s <code>ImagePath</code> and associated processes.</li>
<li>Use the Osquery queries provided in the source to investigate existing services, unsigned executables, and drivers for suspicious characteristics.</li>
<li>Monitor for registry changes related to service creation or modification.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>privilege_escalation</category><category>windows</category><category>service_creation</category></item><item><title>Unusual Service Host Child Process - Childless Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-unusual-svchost-child-process/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-unusual-svchost-child-process/</guid><description>This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.</description><content:encoded><![CDATA[<p>The Windows Service Host process (svchost.exe) is a critical system component that hosts multiple Windows services to optimize resource utilization. Certain services running under svchost.exe are not expected to spawn child processes. Attackers may inject malicious code into these &ldquo;childless&rdquo; svchost processes to execute unauthorized commands and evade traditional detection methods. This detection rule identifies anomalies by monitoring child processes of svchost.exe instances associated with services known to be childless, such as <code>WdiSystemHost</code>, <code>LicenseManager</code>, and <code>StorSvc</code>, flagging potential process injection or exploitation attempts. The rule aims to identify deviations from the expected behavior of these services, providing an early warning of potential malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the system through an exploit or by leveraging existing credentials.</li>
<li>The attacker injects malicious code into a running svchost.exe process associated with a childless service like <code>WdiSystemHost</code> or <code>StorSvc</code>.</li>
<li>The injected code spawns a child process from the targeted svchost.exe instance. This could involve executing a system utility or a custom payload.</li>
<li>The child process executes commands or performs actions dictated by the injected code, such as establishing a reverse shell or downloading additional payloads.</li>
<li>The attacker uses the spawned process to perform reconnaissance activities, gathering information about the system and network.</li>
<li>The attacker escalates privileges, potentially leveraging vulnerabilities or misconfigurations accessible from the compromised svchost process.</li>
<li>The attacker moves laterally to other systems on the network, using the compromised system as a pivot point.</li>
<li>The attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or establishing persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to privilege escalation, allowing attackers to gain control of the compromised system and potentially the entire network. Attackers can use the compromised system as a staging ground for further attacks, exfiltrate sensitive data, deploy ransomware, or disrupt critical services. The medium severity score reflects the potential for significant impact if the activity is not detected and contained promptly.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Unusual Svchost Child Process - Childless Service</code> to your SIEM to detect potential process injection attacks targeting svchost.exe.</li>
<li>Tune the rule by adding known false positives to the exclusion list, such as <code>WerFault.exe</code>, <code>WerFaultSecure.exe</code>, and <code>wermgr.exe</code> to reduce alert fatigue.</li>
<li>Enable process creation logging via Sysmon (Event ID 1) with command line details for better visibility into spawned processes, as described in the <a href="https://ela.st/sysmon-event-1-setup">setup guide</a>.</li>
<li>Investigate any alerts generated by the rule, focusing on the process details and parent-child relationships to determine the legitimacy of the spawned process.</li>
<li>Consider using endpoint detection and response (EDR) solutions like Elastic Defend for enhanced visibility and automated response capabilities, as the rule is designed for data generated by <a href="https://www.elastic.co/security/endpoint-security">Elastic Defend</a>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>process_injection</category><category>privilege_escalation</category><category>defense_evasion</category><category>windows</category></item><item><title>Excessive Global Administrator Accounts in Azure PIM</title><link>https://feed.craftedsignal.io/briefs/2024-01-too-many-global-admins/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-too-many-global-admins/</guid><description>Detection of an excessive number of Global Administrator accounts assigned within an Azure tenant, indicating potential privilege escalation or compromised accounts.</description><content:encoded><![CDATA[<p>The presence of an excessive number of Global Administrator accounts in an Azure tenant poses a significant security risk. While the source does not attribute this activity to a specific threat actor, the risk event indicates a potential compromise of existing accounts, internal privilege abuse, or misconfiguration within the Azure environment. The alert triggers when the number of Global Administrator assignments exceeds a predefined threshold within Privileged Identity Management (PIM). Attackers may abuse highly privileged accounts to gain broad control over the Azure environment, deploy malicious workloads, exfiltrate data, or establish persistence.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An attacker compromises a low-privilege user account through phishing or credential stuffing.</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to elevate privileges by exploiting misconfigured permissions or vulnerabilities within the Azure environment.</li>
<li><strong>Global Admin Role Assignment:</strong> The attacker assigns the Global Administrator role to multiple accounts, including the compromised account, either directly or through PIM bypass.</li>
<li><strong>Lateral Movement:</strong> With Global Administrator privileges, the attacker moves laterally within the Azure environment, accessing sensitive resources and data.</li>
<li><strong>Data Exfiltration:</strong> The attacker exfiltrates sensitive data from cloud storage, databases, or virtual machines.</li>
<li><strong>Persistence:</strong> The attacker establishes persistent access by creating backdoors, modifying access controls, or deploying rogue applications.</li>
<li><strong>Covering Tracks:</strong> The attacker attempts to remove audit logs or disable security features to hide their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The compromise of Global Administrator accounts can lead to significant damage, including data breaches, financial loss, and reputational damage. Excessive admin accounts significantly widen the attack surface and increase the likelihood of successful attacks. The impact includes unauthorized access to sensitive data, disruption of business operations, and potential regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Too Many Global Admins&rdquo; to your SIEM and tune the threshold for your environment to detect excessive Global Administrator assignments in Azure PIM.</li>
<li>Review and reduce the number of Global Administrator accounts to the minimum necessary.</li>
<li>Implement multi-factor authentication (MFA) for all privileged accounts.</li>
<li>Monitor Azure audit logs for suspicious activity related to role assignments and privilege elevation.</li>
<li>Regularly review and update PIM policies to ensure appropriate access controls.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>pim</category><category>global_admin</category><category>privilege_escalation</category></item><item><title>User Added to Privileged Group in Active Directory</title><link>https://feed.craftedsignal.io/briefs/2024-01-ad-privileged-group-addition/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ad-privileged-group-addition/</guid><description>Adversaries may add a user to a privileged group in Active Directory, such as Domain Admins, to maintain persistent access and elevate privileges within the domain.</description><content:encoded><![CDATA[<p>Attackers often target Active Directory (AD) to gain control over a network. Adding a user account to a highly privileged group, such as Domain Admins or Enterprise Admins, is a common tactic for establishing persistence and escalating privileges. By compromising an account with the ability to manage group memberships or exploiting vulnerabilities, an attacker can add their own rogue account to a privileged group, granting them extensive control over the AD domain. This activity might go unnoticed amidst legitimate administrative actions, making it a stealthy method of maintaining unauthorized access. This is a common technique employed after initial compromise to ensure long-term access to critical systems and data. Detecting such additions requires careful monitoring of AD security logs for specific events related to group membership changes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of a low-privileged user account through phishing or credential theft.</li>
<li>Lateral movement to a system with access to Active Directory management tools.</li>
<li>Privilege escalation to an account with permissions to modify group memberships (e.g., leveraging exploits or credential dumping).</li>
<li>Use of AD management tools (e.g., Active Directory Users and Computers, PowerShell with AD module) to add the attacker-controlled user account to a privileged group, such as Domain Admins (RID 512).</li>
<li>The attacker logs in with the newly privileged account.</li>
<li>The attacker uses their elevated privileges to access sensitive data, install backdoors, or perform other malicious activities.</li>
<li>The attacker may attempt to remove the initially compromised account to remove traces of their activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful addition of an attacker-controlled user to a privileged AD group grants them near-total control over the domain. This can lead to widespread data breaches, ransomware deployment across the entire network, compromise of sensitive systems, and long-term disruption of business operations. The impact can extend to all domain-joined systems and resources, potentially affecting thousands of users and devices. Remediation often requires a complete rebuild of the Active Directory environment, resulting in significant downtime and financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &ldquo;Audit Security Group Management&rdquo; in Active Directory to generate the necessary security events for detecting group membership changes.</li>
<li>Deploy the Sigma rule &ldquo;User Added to Privileged Group in Active Directory&rdquo; to your SIEM to detect suspicious additions to privileged groups, tuning the rule for known administrative accounts.</li>
<li>Monitor for unexpected use of AD management tools, such as <code>Active Directory Users and Computers</code> or <code>PowerShell</code> with the <code>AD</code> module, especially from unusual source hosts.</li>
<li>Investigate any alerts generated by the Sigma rule by verifying the legitimacy of the user adding members to the group and validating the need for the new member to have those privileges.</li>
<li>Regularly review the membership of privileged groups and remove any unauthorized or unnecessary accounts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>privilege_escalation</category><category>active_directory</category></item><item><title>Suspicious Svchost.exe Child Process: cmd.exe</title><link>https://feed.craftedsignal.io/briefs/2024-01-svchost-cmd-spawn/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-svchost-cmd-spawn/</guid><description>Detection of cmd.exe being spawned by svchost.exe, which is an unusual behavior indicative of potential masquerading or privilege escalation attempts on Windows systems.</description><content:encoded><![CDATA[<p>The Service Host process (svchost.exe) is a legitimate Windows system process designed to host multiple Windows services. It is not intended to be used by non-Windows services or to spawn command interpreters directly. This detection focuses on identifying instances where cmd.exe is launched as a child process of svchost.exe. This activity is highly suspicious and may suggest that a malicious process is masquerading as svchost.exe or that an attacker has gained control and is attempting privilege escalation or lateral movement within the compromised system. The rule leverages process monitoring logs to identify this anomalous parent-child relationship. The original Elastic detection rule was published in 2020, and updated in May 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Compromise: An attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges to gain higher-level access to the system.</li>
<li>Service Exploitation: The attacker exploits a service hosted by svchost.exe or injects malicious code into a service process.</li>
<li>Command Execution: The attacker leverages the compromised service to spawn cmd.exe as a child process of svchost.exe.</li>
<li>Reconnaissance: The attacker uses cmd.exe to perform reconnaissance activities, such as gathering system information or network configuration details.</li>
<li>Lateral Movement: The attacker uses cmd.exe to move laterally to other systems on the network, potentially using stolen credentials or exploiting vulnerabilities.</li>
<li>Persistence: The attacker establishes persistence on the compromised system to maintain access even after a reboot.</li>
<li>Data Exfiltration or System Damage: The attacker exfiltrates sensitive data from the compromised system or damages the system to disrupt operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to privilege escalation, lateral movement, data theft, or system compromise. The impact could range from minor data breaches to significant disruptions of business operations, depending on the attacker&rsquo;s objectives and the extent of the compromise. Since svchost.exe is a critical system process, any compromise could result in widespread damage across the affected system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Svchost spawning Cmd&rdquo; Sigma rule to your SIEM to detect this suspicious parent-child relationship.</li>
<li>Enable process monitoring with command-line logging on Windows endpoints to provide the necessary data for the Sigma rule to function.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the root cause and scope of the compromise.</li>
<li>Review and harden the security configuration of Windows services to prevent exploitation.</li>
<li>Enforce the principle of least privilege to limit the impact of a compromised service account.</li>
<li>Use threat intelligence platforms to identify and block known malicious indicators associated with svchost.exe exploits.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>execution</category><category>windows</category><category>process_injection</category><category>privilege_escalation</category></item></channel></rss>